yahoo-eng-team team mailing list archive

[Bug 1478778] [NEW] VPNaas: strongswan: cannot add more than one subnet to ipsec

Public bug reported:

I used this patch (VPNaaS: Fedora support for StrongSwan) for VPNaaS on CentOS, referring to this bug:
https://bugs.launchpad.net/neutron/+bug/1441788

1. I used a single node with 2 routers, created ike/ipsec/vpn-service/site-vpn, and the tunnels came
up fine.
kilo-vpnaas-centos71


10.10.10.x/24--------R1-------------R2-------------20.20.20.x/24

R1 to R2 on 192.168.122.202, 192.168.122.203.

2. When I added one more interface to r1 and r2, 30.30.30.x and 40.40.40.x respectively, and created
ike/ipsec/vpn-service/site-vpn, it did not create a new conn in the ipsec.conf file; rather, it
overwrote the existing (10.10.10.x) conn in the ipsec.conf file.

[root@ceos71 ~]# cat /var/lib/neutron/ipsec/70e88c46-c6b2-4c8d-afad-76ebd77b55cb/etc/strongswan/ipsec.conf 
# Configuration for vpn10
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=psk
        mobike=no

conn 221c6d37-e7a1-4afc-8d0f-4de32df3818b  #### this for 10.10.10.x
    keyexchange=ikev2
    left=192.168.122.202
    leftsubnet=10.10.10.0/24
    leftid=192.168.122.202
    leftfirewall=yes
    right=192.168.122.203
    rightsubnet=20.20.20.0/24
    rightid=192.168.122.203
    auto=route

### added 1 more subnet 30.30.30.x

[root@ceos71 ~]# cat /var/lib/neutron/ipsec/70e88c46-c6b2-4c8d-afad-76ebd77b55cb/etc/strongswan/ipsec.conf 
# Configuration for vpn30
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=psk
        mobike=no

conn 7b57fc83-3581-4e86-a193-e14474eef295 ### this is for 30.30.30.x, it over wrote the 10.10.10.x conn 
    keyexchange=ikev2
    left=192.168.122.202
    leftsubnet=30.30.30.0/24 <<<<<<<<<<<<<
    leftid=192.168.122.202
    leftfirewall=yes
    right=192.168.122.203
    rightsubnet=40.40.40.0/24
    rightid=192.168.122.203
    auto=route

3. My understanding is that it should add a new conn to the ipsec.conf file
rather than overwriting the existing conn. Am I right?

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1478778

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1478778/+subscriptions
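The behaviour the reporter expects (one conn section per site connection in a single ipsec.conf) and the behaviour observed (only the latest connection survives) can both be reproduced and checked offline. The following is an added illustration, not Neutron's VPNaaS driver code: it renders an ipsec.conf in the same shape as the dumps above from a list of site connections, then parses the result to list which expected conn names are missing. The connection ids, addresses and subnets are the ones from the report; the SiteConnection dataclass, render_ipsec_conf, render_last_only and missing_conns are assumed helper names written for this example.

```python
"""Render a strongswan ipsec.conf with one conn per site connection and
verify that every expected conn is present.

Added example, not Neutron's VPNaaS driver. Field names and values mirror
the ipsec.conf dumps in the bug report.
"""
import re
from dataclasses import dataclass
from typing import List

# Preamble shared by every rendered file, copied from the report's dump.
DEFAULTS = """\
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=psk
        mobike=no
"""


@dataclass
class SiteConnection:
    """One ipsec-site-connection: the fields a conn section needs."""
    conn_id: str
    left: str
    left_subnet: str
    right: str
    right_subnet: str


def render_conn(c: SiteConnection) -> str:
    """Render a single conn section in the same layout as the report."""
    return (
        f"conn {c.conn_id}\n"
        f"    keyexchange=ikev2\n"
        f"    left={c.left}\n"
        f"    leftsubnet={c.left_subnet}\n"
        f"    leftid={c.left}\n"
        f"    leftfirewall=yes\n"
        f"    right={c.right}\n"
        f"    rightsubnet={c.right_subnet}\n"
        f"    rightid={c.right}\n"
        f"    auto=route\n"
    )


def render_ipsec_conf(service_name: str, conns: List[SiteConnection]) -> str:
    """Expected behaviour: every site connection gets its own conn section."""
    parts = [f"# Configuration for {service_name}", DEFAULTS]
    parts.extend(render_conn(c) for c in conns)
    return "\n".join(parts)


def render_last_only(service_name: str, conns: List[SiteConnection]) -> str:
    """Reported behaviour: only the most recently added connection is written,
    so earlier conn sections are overwritten."""
    return render_ipsec_conf(service_name, conns[-1:])


def conn_names(conf_text: str) -> List[str]:
    """Return conn section names in file order, excluding %default."""
    names = re.findall(r"^conn\s+(\S+)", conf_text, re.MULTILINE)
    return [n for n in names if n != "%default"]


def missing_conns(conf_text: str, expected_ids: List[str]) -> List[str]:
    """Return expected connection ids that have no conn section in the file.
    A non-empty result is the symptom the report describes."""
    present = set(conn_names(conf_text))
    return [i for i in expected_ids if i not in present]


# Constructed from the report: the two site connections between R1 and R2.
CONN_10 = SiteConnection("221c6d37-e7a1-4afc-8d0f-4de32df3818b",
                         "192.168.122.202", "10.10.10.0/24",
                         "192.168.122.203", "20.20.20.0/24")
CONN_30 = SiteConnection("7b57fc83-3581-4e86-a193-e14474eef295",
                         "192.168.122.202", "30.30.30.0/24",
                         "192.168.122.203", "40.40.40.0/24")

if __name__ == "__main__":
    expected = [CONN_10.conn_id, CONN_30.conn_id]
    good = render_ipsec_conf("vpn10", [CONN_10, CONN_30])
    bad = render_last_only("vpn30", [CONN_10, CONN_30])
    print("expected rendering, missing:", missing_conns(good, expected))
    print("overwritten rendering, missing:", missing_conns(bad, expected))
```

Running the same missing_conns check against the real file under /var/lib/neutron/ipsec/<id>/etc/strongswan/ipsec.conf, with the ids of the configured ipsec-site-connections as the expected list, gives a quick way to tell whether a second connection was appended or whether the first one was silently dropped, which is otherwise only visible once the 10.10.10.x tunnel stops passing traffic.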